

Topic created on: June 17, 2007 14:54 CDT by bepetemish.
/*
Hi,
I'm trying something new this week and I'm kinda stuck.
As an example I made a console application with 2 functions.
Now, I want to be able to find the user-defined functions in the compiled application.
I know I can open it in Notepad or a hex editor and Ctrl + F them, but let's pretend I don't know the names
of the user-defined functions.
Can this be done with a debugger?
What do I need to do?
*/
// The Source:
///////////////////////////////////////////////////
#include <cstdlib>
#include <iostream>
using namespace std;
int abcdef(void) //Function 1
{
return 0;
}
int ghijkl(void) //Function 2
{
return 0;
}
int main(int argc, char *argv[])
{
system("PAUSE");
return EXIT_SUCCESS;
}
/////////////////////////////////////////////////////
> bepetemish: /*
> Hi,
> I'm trying something new this week and I'm kinda stuck.
> As an example I made a console application with 2 functions.
> Now, I want to be able to find the user-defined functions in the compiled application.
> I know I can open it in Notepad or a hex editor and Ctrl + F them, but let's pretend I don't know the names
> of the user-defined functions.
>
> Can this be done with a debugger?
> What do I need to do?
> */
Well, this is my first post on this forum, but I've been reversing now for about 6 months and following this site daily. Maybe I can help you a little, and help contribute to an awesome community.
First, exactly what are you trying to Ctrl-F? The function name? Because that honestly won't help you in a real-world application, as debugging symbols are removed in almost all production-level code, and that would be the only way function names would be included afaik.
You might be implying a disassembler; the good ones can fairly reliably determine the start of functions (IDA is what I use, the freeware version works pretty well). They won't include function names unless the symbols are packaged with the binary (again, not likely in any real-world situation).
If you are however seriously trying to learn reversing (which is probably the same advice anyone on here would give you), buy a couple of books or spend some weeks reading wikis and web resources.
As far as how I got started, which has prepared me for some decent real-world reversing (I've been doing some work in malware forensics), I suggest Reversing: Secrets of Reverse Engineering as a book to read, then using Hacker Disassembling Uncovered as a reference to learn how to identify higher-level constructs. Working on crackmes helps a ton with experience in tool usage.
Anyways, hopefully I've helped a little. And if I completely missed the point of your post, sorry. Include more info next time =)
> bepetemish: /*
> Hi,
> I'm trying something new this week and I'm kinda stuck.
> As an example I made a console application with 2 functions.
> Now, I want to be able to find the user-defined functions in the compiled application.
> I know I can open it in Notepad or a hex editor and Ctrl + F them, but let's pretend I don't know the names
> of the user-defined functions.
>
> Can this be done with a debugger?
> What do I need to do?
> */
you will be compiling this as C++, so most probably your user-defined function names will get demangled and would be
of the form _@@zasbce.123##
i think most aggressive optimising compilers will not include your functions at all in the compiled exe, as they are orphan functions not called by anything
most likely the symbols will be stripped off, so even if you know the names it's going to be difficult to find them with certainty
or, since both of your functions are similar, the compiler may decide that it's a common function and simply insert only one of them and replace the pointers to point to this single function
a sample of your source compiled with g++ on *nix and viewed in hte:
_Z6abcdefv+0
.......  ! ;********************************************************
.......  ! ; function abcdef() (global)
.......  ! ;********************************************************
.......  ! _Z6abcdefv:
.......  ! push ebp
8048611  ! xor eax, eax
8048613  ! mov ebp, esp
8048615  ! pop ebp
8048616  ! ret
that was compiled without the -s switch, so you see at least some reference
if you compile that with the -s switch,
like say
gcc -o somecpp somecpp.cpp -Wall -O3 -s
you will see you can't find even the binary pattern of your function, as the compiler ripped it out as a useless function doing nothing important
lafkuku,
First, exactly what are you trying to Ctrl-F? The function name? Because that honestly wont help you in a real world application
==========================================================
Lol, I know :P. In my question I said:
"I know I can open it in Notepad or a hex editor and Ctrl + F them, but let's pretend I don't know the names."
With that I tried to say that Ctrl + F isn't the solution I'm searching for.
anonymouse,
Hmm, that's no good news. If the functions do get called and they do react with, let's say, a print, then will it be easier to find them?
If so, am I right that this can be done in a debugger? I heard about IDA in another forum; is IDA the tool that can help me succeed?
Thanks for the help, both of you.
if they get called and debugging information is available, then the names make sense; else they simply do not make sense
see your code modified to make them called and then disassembled
#include <cstdlib>
#include <cstdio> // printf lives here, not in <iostream>
#include <iostream>
using namespace std;
int abcdef(void) //Function 1
{
printf("hello dummy function no 1\n");
return 0;
}
int ghijkl(void) //Function 2
{
printf("hello dummy function no 1\n");
return 0;
}
#pragma argsused
int main(int argc, char *argv[])
{
abcdef();
ghijkl();
system("PAUSE");
return EXIT_SUCCESS;
}
/*
with source level debugging enabled
00401150 somecrap.abcdef PUSH somecrap.0040B128 ; /format = "hello dummy function no 1\n"
00401155 CALL somecrap.___org_printf ; \___org_printf
0040115A POP ECX ; somecrap.00408A7E
0040115B XOR EAX, EAX
0040115D RETN
0040115E NOP
0040115F NOP
00401160 somecrap.ghijkl PUSH somecrap.0040B143 ; /format = "hello dummy function no 1\n"
00401165 CALL somecrap.___org_printf ; \___org_printf
0040116A POP ECX ; somecrap.00408A7E
0040116B XOR EAX, EAX
0040116D RETN
0040116E NOP
0040116F NOP
00401170 somecrap.main PUSH EBP
00401171 MOV EBP, ESP
00401173 CALL somecrap.abcdef ; [somecrap.abcdef
00401178 CALL somecrap.ghijkl ; [somecrap.ghijkl
0040117D PUSH somecrap.0040B15E ; /command = "PAUSE"
00401182 CALL somecrap.system ; \system
00401187 POP ECX ; somecrap.00408A7E
00401188 XOR EAX, EAX
0040118A POP EBP ; somecrap.00408A7E
0040118B RETN
*/
/*
without debugging info
00401150 PUSH somecrap.0040B128 ; /Arg1 = 0040B128 ASCII "hello dummy function no 1\n"
00401155 CALL somecrap.00403B5C ; \somecrap.00403B5C
0040115A POP ECX ; kernel32.77E814C7
0040115B XOR EAX, EAX
0040115D RETN
0040115E NOP
0040115F NOP
00401160 PUSH somecrap.0040B143 ; /Arg1 = 0040B143 ASCII "hello dummy function no 1\n"
00401165 CALL somecrap.00403B5C ; \somecrap.00403B5C
0040116A POP ECX ; kernel32.77E814C7
0040116B XOR EAX, EAX
0040116D RETN
0040116E NOP
0040116F NOP
00401170 PUSH EBP
00401171 MOV EBP, ESP
00401173 CALL somecrap.00401150
00401178 CALL somecrap.00401160
0040117D PUSH somecrap.0040B15E ; /Arg1 = 0040B15E ASCII "PAUSE"
00401182 CALL somecrap.004086CC ; \somecrap.004086CC
00401187 POP ECX ; kernel32.77E814C7
00401188 XOR EAX, EAX
0040118A POP EBP ; kernel32.77E814C7
0040118B RETN
*/
Oops, well what I meant was that function names are typically not included. There is usually no way to recover the original names of functions short of reversing their intent and assigning them your own name. Not that Ctrl-F was what you were attempting to do. Sorry for any confusion.
As far as IDA: IDA will identify most standard library calls, Windows native calls, COM, and a few others out of the box. But you can also write your own signatures to extend IDA. Go read DataRescue's homepage and check out the free version. Knowing what the standard calls are will help you isolate non-standard packages and user-created functions.
Sorry for any confusion. Like I said, I'm still new to this stuff too =).
I edited the source a little so it activates the functions on key press (GetAsyncKeyState, the key is arrow up).
Then I opened my new program in OllyDbg and this is what I got:

00401402 calls 00401390
00401407 calls 004013AA
Now I hope you can confirm that what I say is true. I say:
00401402 and 00401407 are used to call the functions. They call 00401390 and 004013AA, so I guess the following are the functions:
abcdef:
00401390
00401391
00401393
00401396
0040139D
004013A2
004013A7
004013A8
ghijkl:
Same kind of row as abcdef, starting with PUSH EBP (004013AA) and ending with RETURN (004013C2).
After this is confirmed or corrected I hope you two can stay tuned, because I started on a DLL in C++ to basehook these functions. I got some problems with it, but that might be because I'm hooking the wrong address, so I'll wait for your response.
And lafkuku, you're right, this truly is an awesome and helpful community. And thanks for the modified code; after I used your code it was easy to find the "as I think" good part in Olly.
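The reasoning in the post above (a CALL site points at a function entry, and PUSH EBP / MOV EBP,ESP marks a classic prologue) is what a disassembler automates. As an added example, not code from the thread or from any tool named in it, the script below applies both heuristics to bytes constructed from anonymouse's "without debugging info" listing (abcdef at 0x401150, ghijkl at 0x401160, main at 0x401170); the names BASE, CODE and the three functions are assumed here.

```python
"""Recover function entry points from raw x86 code the way a disassembler
does: follow CALL rel32 targets and look for the PUSH EBP / MOV EBP,ESP
prologue. Heuristic, not a full decoder."""
import struct

# Constructed sample: the bytes behind the "without debugging info" Olly
# listing in the thread (abcdef at 0x401150, ghijkl at 0x401160, main at 0x401170).
BASE = 0x401150
CODE = bytes.fromhex(
    "68 28 B1 40 00 E8 02 2A 00 00 59 33 C0 C3 90 90 "  # abcdef: push str; call printf; ...
    "68 43 B1 40 00 E8 F2 29 00 00 59 33 C0 C3 90 90 "  # ghijkl: same shape
    "55 8B EC E8 D8 FF FF FF E8 E3 FF FF FF "           # main: prologue, call abcdef, call ghijkl
    "68 5E B1 40 00 E8 45 75 00 00 59 33 C0 5D C3"      # push "PAUSE"; call system; epilogue
)

def call_targets(code, base):
    """Map each CALL rel32 site to its absolute target.
    A byte scan can misfire on an E8 inside an immediate, so only targets
    that land inside the scanned region are kept (library calls such as
    printf and system live elsewhere and are dropped)."""
    sites = {}
    for off in range(len(code) - 4):
        if code[off] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, off + 1)[0]
        target = base + off + 5 + rel        # rel32 is relative to the next instruction
        if base <= target < base + len(code):
            sites[base + off] = target
    return sites

def prologue_starts(code, base):
    """Addresses where the PUSH EBP; MOV EBP,ESP prologue (55 8B EC) appears."""
    pat = b"\x55\x8B\xEC"
    return [base + i for i in range(len(code)) if code.startswith(pat, i)]

def function_starts(code, base):
    """Union of both heuristics, sorted by address."""
    found = set(call_targets(code, base).values()) | set(prologue_starts(code, base))
    return sorted(found)
```

Note that abcdef and ghijkl were compiled without a frame, so the prologue heuristic alone sees only main; it is the CALL targets that recover the other two, which is why a disassembler cross-references calls rather than relying on byte patterns alone.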
You found your two functions correctly. If you're going to be hooking or reversing, you should probably get more familiar with assembly language, though. lafkuku had some good advice above on starting points for learning assembly / reverse engineering. Kris Kaspersky has even made a few of his books freely available online - I don't have the links on hand, but he posted them here on OpenRCE.
Okay, great. I finally understand that now. I'm downloading some ebooks people advised me to read; until they are ready I'll already ask my last question for now.
In the following program the user needs to press the UP arrow to activate functions abcdef and ghijkl. Now I want to make a DLL that activates only function abcdef when pressing the DOWN arrow. I'll post the 2 sources:
Application:
#include <cstdlib>
#include <cstdio> // printf
#include <iostream>
#include <windows.h>
using namespace std;
int abcdef(void) //Function 1
{
printf("hello dummy function no 1\n");
return 0;
}
int ghijkl(void) //Function 2
{
printf("hello dummy function no 2\n");
return 0;
}
#pragma argsused
int main(int argc, char *argv[])
{
while (true)
{
if (GetAsyncKeyState(0x26)) //0x26 means, arrow up
{
abcdef();
ghijkl();
}
Sleep(10);
}
}
The DLL:
#include <windows.h>
/***************Typedef to call Internal Function****************/
// abcdef is declared "int abcdef(void)" in the target, so the pointer type
// has to match: int return, __cdecl.
typedef int (__cdecl* abcdefFunction)(void);
// 0x00401402 is the CALL instruction inside main from the Olly listing
// earlier in this thread; the entry of abcdef itself was found at
// 0x00401390 (PUSH EBP). The pointer must be the function entry.
abcdefFunction abcdef = (abcdefFunction)0x00401390; //abcdef Address
/****************************************************************/
/*************************Main Function*************************/
DWORD WINAPI Main(LPVOID lpParam) // signature CreateThread expects, no cast needed
{
while (true) // Infinite Loop ... Will run until Gunz closes.
{
if (GetAsyncKeyState(0x28)) //0x28 is VK_DOWN, the down arrow key
{
abcdef();
Sleep(500);
}
Sleep(10); //Delay between each check otherwise -> LAG!!
}
return 0;
}
/****************************************************************/
/*****************************Dll Entry-Point*******************/
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if(ul_reason_for_call == DLL_PROCESS_ATTACH) // "==": the original "=" assigned instead of comparing
{
DisableThreadLibraryCalls(hModule); //Thanks Microsoft =D
CreateThread(NULL,0,Main,NULL,0,NULL); //Thanks Microsoft =D
//Add message box pop-up here
}
return TRUE;
}
/****************************************************************/
When I inject this DLL and press the DOWN arrow nothing happens; do I hook the wrong address or am I forgetting something?